Openclaw Sentinel
ReviewAudited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions); human review is required before treating this skill as clean.
Before installing, verify the external ai-sentinel package and choose Community/local mode if you do not want OpenClaw message data sent to Zetro. If using Pro, avoid raw-content telemetry unless necessary and keep the API key out of source control. ClawScan detected prompt-injection indicators (ignore-previous-instructions), so this skill requires review even though the model response was benign.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Security scanners may flag the phrase, but within this artifact it is used to test blocking behavior.
This is a literal prompt-injection phrase, but it is presented as a test payload for the security tool.
`npx openclaw sentinel test "Ignore all previous instructions"` returns a `blocked` action
Keep these strings quoted as test inputs and do not treat them as operational instructions.
If enforce mode is enabled or thresholds are too strict, legitimate messages may be blocked.
The plugin can be configured to block OpenClaw traffic, which is expected for a prompt-injection firewall but materially affects agent behavior.
`enforce` - Block messages that exceed the threat confidence threshold
Start in monitor mode, review detections, and only enable enforce mode after testing.
The installed plugin will run in the OpenClaw environment, so users must trust the external package source.
The setup depends on installing external plugin code from the OpenClaw/npm ecosystem; the package implementation is not included in the reviewed artifacts.
`openclaw plugins install ai-sentinel`
Verify the package name, publisher, source, and version before installing; pin a trusted version where possible.
A Pro API key stored in project files could be exposed if committed or shared accidentally.
The skill may use a service API key for Pro features, but it is disclosed as optional and purpose-aligned.
AI_SENTINEL_API_KEY ... Only needed for Pro tier remote classification and dashboard.
Store the key only in local environment files, ensure .env is ignored by git, and rotate the key if exposed.
Sensitive prompts, tool results, or message content could leave the local machine if Pro cloud-scan or raw-content telemetry is enabled.
Pro mode can transmit scan data, and in some modes message content, to an external service; the artifact discloses this and requires consent.
Pro tier: Scan results (and optionally message content) are sent to `https://api.zetro.ai` for dashboard reporting and analytics.
Use Community/local mode or telemetry without raw content for sensitive projects, and review the provider privacy policy before enabling Pro.